On any subject, I always know beforehand that your explanation, if it already exists, will be the best! Thank you.
Thanks!
this works well! the fun begins however, when and if you want to have encrypted swap functioning with hibernation for a laptop without having to enter two passwords.
You have got to love that ext2 still is useful for something. :)
Cool! Glad to see that this is up. Still can't wait to see you do a full install in May using the newest iso in btrfs configuration. Have a great day!
Excellent video. Worked like a charm for me. I also installed plymouth following the arch wiki for encryption. I'm loving it. Thank you very much
My pleasure!
Backup your keys... If they get corrupted from say a power outage and they aren't backed up it sucks.
Spectacular video. Taught me that I was mounting my / directory with Btrfs incorrectly where I created the sub volumes but just treated the install like ext4. Definitely got me booted especially the look at how to set up grub. Thank you for this, I had a lot to learn!
Thank you so much that you did this remake having swap also encrypted. My best greetings from Germany to Switzerland. You are sooooo coooool Ermanno *hug*
Thanks for a video! It is very useful. But could you please explain difference between swap partition and swap file? What benefits have one over another?
I made my setup without swap partition but rather with @swap subvolume on BTRFS and I just placed swap file there. Then I need only one volume to encrypt.
Btrfs being a copy-on-write filesystem really doesn't like it when part of it is being used as swap, hence swap on btrfs is discouraged. To solve it you should shrink the btrfs filesystem, shrink the btrfs partition and allocate some space to a dedicated swap partition. Much easier if you're using LVM, could be a PITA if not.
Heard you released btrfs with luks install video.... Very nice. I would put a key backup to usb addendum. Anyone who has tried to add a drive later and wound up with key corruption will thank you for the ability to be able to restore. No that never happened to me ;)
Been lurking, busy with arm cluster server setup for SOHO networks
Thanks for sharing Craig!
Your work continues to be great wiki type of material. Thank you sir.
My pleasure!
You deleted previous video when I was in the middle of it 🤣
This video is great and of course something I wanted.
Thank you!
Sorry about that :)
Another very useful tutorial, Ermanno, thank you very much.
My pleasure!
Your videos are extremely helpful. Thank you. I have a question on how would I go about creating an encrypted system with 2 separate hard drives. One with encrypted root with btrfs and another with an encrypted home partition?
Thank you Ermanno for the compact video. Regarding the btrfs-module in the mkinitcpio.conf file: it is only required if your btrfs file system spreads over more than one device, i.e. RAID or more than one hard drive.
Hi Dominik, true, that is what I explained in the previous btrfs video as well. The problem with this, and many other btrfs installation aspects, is sometimes conflicting info. On the wiki itself, you find one installation page with btrfs with the hook added in the mkinitcpio.conf file, but then on another page you can read that no btrfs hook is necessary when installing on a single device. I’m trying to find out in the SuseLinux support page more info about this for future videos.
@@eflinux Thank you for your feedback. You are right, many conflicting instructions can be found. That's why I tested it out myself on multiple installations. My experience showed that the module is not needed on a single device btrfs installation. I am looking forward to learning from your findings in future videos. I enjoy your video contributions a lot. Thank you so much for that!
Thanks for YOUR feedback Dominik.
you are the crash chacho , you are the children ermmano , you are the who make a brighter day champion
Just an update that I've been running a luks crypted btrfs however with snapper with all the volumes and the entirety of many of your videos on the subject and it runs beautiful also I noticed how much faster than normal btrfs is! I've always used ext4 because it didn't do anything for me. It is about speed to me not backing up. All I'm concerned about backup is my personal things which I keep backups of to begin with 😂 thanks again Ermanno
I was waiting for this video for so long. Thank you!
My pleasure!
You never made an installation using ZFS... Still waiting for that! 👍👍
BTW great video!
That is going to take a while. It's quite complex.
Linus Torvalds "ZFS is not for linux." BTRFS is fully open source CoW linux solution.
Hey EF, I have a video idea for you. Why don't you make a video on encrypted arch install with /home on separate drive. A use for it will be for people like me who have an ssd and a hard drive and want /boot and / on the ssd and /home on the hdd. I would be very grateful if you can do that
Regards,
AK
I would be interested in that too, Ermanno!
Best regards
And ppl with nvme drives who need to add storage
The steps are the same. You're just mounting vdb instead of vda. With encryption you do still need to partition btrfs.
There is a problem with the ebtables package, which conflicts with iptables. So you can remove the ebtables package from your list or add a line prior to installation of packages to remove iptables.
Because ebtables is iptables-nft
Thanks for the info, I didn't have the time to research that yet.
So I've two HDD one of which is SSD and other is old HDD (non-SSD type)... can I then make home subvol in SSD with encryption and attach the old HDD to that home to house like download files, media etc with encryption of its own of course...
Hi, Ermanno! I have a couple of questions about this tutorial:
1. Can I make that swap encryption before installing grub?
2. What about resume - should I add it to the configs (grub, mkinitcpio) or is it optional? I think hibernation is a good option to use :)
Thank you!
isn't it easier to create a swapfile and have it on the encrypted drive? or at least use LVM?
Could you make a video about installing / making Arch work with Secure Boot? Something to cover signing the EFI binaries with secure boot keys, adding them to the UEFI, etc.
Good luck getting OEMs to sign Linux EFI binaries, I doubt you can just sign your own binary, defeats the whole point of secure boot if rootkits can just sign their own key
You have enabled discards=async as well as the fstrim service. Do both of them work well together or not?
There is this question that I cannot find an answer to: the fact that you are following the procedure to not have the suspend-to-disk function, means that every time the machine goes into suspend its state will be saved in ram rather than on the disk?
Thank you! You definitely make the most useful linux videos on youtube :)
Excellent as always.
What if I do this partition scheme on a ssd but want to use a larger hdd as /home? What should be changed?
You'll have to create a partition on your hdd and mount the home subvolume there.
Isn't it possible to give the swap partition a label with mkswap -L ... and refer to that label instead of using a bogus ext2 partition?
According to the Wiki that will not work "because dm-crypt and mkswap would simply overwrite any content on that partition which would remove the UUID and LABEL too".
I'm getting
BTRFS error (device dm-0): cannot disable free space tree
BTRFS error (device dm-0): open_crtee failed
"mount: /mnt: wrong fs type, bad option, bad superblock on /dev/mapper/cryptroot, missing codepage or helper programm or other error"
Yes, that is new. The problem is the space_cache option. Try to use space_cache=v2 and it will work.
@@eflinux
Thanks space_cache=v2 works. First time I added clear_cache option
how to use partitionless btrfs? grub has issues detecting it
Thank you so much, this was super helpful and clear!!
Brother, maybe you should make videos 1) for everyone 2) for people with more understanding. I followed along well. I liked the challenges, to be honest. But thanks for everything you do
if anything, you should rather write in French/Italian; as far as I know Ermanno doesn't speak German.
@@marcello4258 hahaha 🤣 really that's funny seeing he has responded back in German and most people there do speak German 😂
With an encrypted swap partition, do suspend and hibernate work?
It depends on the method. In the wiki in the video description both are described.
I couldn't understand how encrypting the swap partition required changing the address of the vda3 partition. Why does that happen?
It required the change of the vda2 partition, not vda3.
@@eflinux oh, now that makes sense.
Hey Ermanno, a long time haven't had time to watch your videos, but I also recommended your install vids, because they are really useful! Your install script is really cool!
I was thinking if this could be useful for business to go full Linux also for working machines :)
Hey Dennis! It all depends on which software you need to work with.
@@eflinux I'm on arch since you helped me with some of your first videos and pretty happy with all that! I was thinking in terms of security and ease of use. Most software is already available for Linux in one way or another I'd say and cloud services help a lot here to overcome the rest. The idea compels me a lot and such a script for quickly set up a working station is really great. I'd say if one can add some remote or cronjobs for updates and so on, as well as a good "software centre" for users combined with a good looking DE, this could be a thing.
Do you have experience with arch for business? I'm somehow worried about rolling distro here. Or would you recommend using Redhat or OpenSuse for business?
Over the last videos, you got much more proficient in terms of Linux functions and so. Really great.
I work 95% of the time with Arch, but my setup is pretty simple, and I don't require much software. However, Arch requires maintenance, you need to be ready to take care of the system every single day and make sure you backup your data regularly. I have never experienced a crash or anything similar, but it's not a hands-free experience. RHEL or CentOS are very stable, but they might not support newer hardware as they use older kernels, for that you could try Fedora or Fedora Silverblue. On Silverblue you just have to install flatpaks and that's it. You can check out the video I did on that. OpenSUSE is also a great choice, it uses btrfs and snapper by default, and it works really well. In the end it comes down to personal preference.
@@eflinux thanks i'll give it a try to play around first
Nice video, just what I needed, however I would like to see one with Full Encryption (including EFI partition if such exists) and, instead of a Swap partition, I would like to see it with a SWAP file.
swapfile is deprecated. Also you should not encrypt the EFI (boot) partition as it will lead to the system not being able to boot at all.
@@eli1882 Swap files are not deprecated
watching this video just after installing arch.
Hello! Thank you for your lessons! Did I understand correctly that the entire disk is encrypted, and if arch is installed next to windows, then it won't work?
Actually, no. Only the root and swap partitions are encrypted. You could make another one and install Windows on it. After installing Windows, since it *always* messes up GRUB, boot back into the Arch live environment, mount everything again, arch-chroot into your system the same as before, do "pacman -S os-prober" (no quotes), and then run the grub-install and grub-mkconfig commands again. The os-prober program should auto-detect Windows and add it to the GRUB config when running grub-mkconfig. After that, exit the chroot, reboot, and hope for the best. *If* everything worked, you should see Windows as one of the GRUB menu entries when you reboot, alongside Arch. Oh, and if you installed Windows first, when installing, don't delete its partition, and just do "pacman -S os-prober" (no quotes) before running grub-mkconfig. I am not 100% sure if this will work, since I didn't test it, but I *think* it will. Hope this helps, and you get it working!
In Debian 11 installer, it's very complicated to encrypt Btrfs, the only option is with LVs, I hope I can see the same explanation for Debian.
Thank you.
Thank you!!! Great video!!!
Please, do you know how I can encrypt the root filesystem in btrfs?
I have tried this 4 times now and it doesn't seem to work for me. GRUB will load but when I select Arch all I get is this "ERROR: device 'dev/mapper/system' not found, skipping fsck mount: /new-root: special device dev/mapper/system does not exist. :: Tried Archinstall and it still gives the same error.. if I don't encrypt my nvme drive everything works fine..not sure why.
It seems to be the encrypted device was not configured properly in grub. I’m not sure if something has changed with recent updates. I’ll try it out again.
@@eflinux I managed to solve the issue, it was either a bad USB stick or the ISO got corrupted. Tried a new USB and ISO and it worked perfectly now
does this work with UEFI ?
The sad thing is, I can't reinstall my whole system just for encryption or using btrfs....
Any options ??
Not that I can think of.
Create VM of existing install and put it on an external drive. Build system as per this video and copy YourVM.qcow2 to new encrypted BTRFS volume and start using it with KVM/QEMU.
Great video as always. What I still don't get is why a normal user should bother with moving from the very well known ext4 filesystem to this "new" btrfs, I tried with Garuda but I found that it makes the boot process longer.
It really depends on preference and case scenario. BTRFS offers snapshots, which in some cases can be really handy, plus a lot more features. It's still developing and surely not as mature as ext4, but it will be more present in the future imho.
EXT4 is a journaling filesystem and BTRFS is a CoW volume management filesystem. So adding new drives becomes a snap. Backups as well.
You have a lot to learn.
Hi Ermanno, in this tutorial you used grub to install the bootloader, now in one of your previous tutorials you used refind, can you do btrfs encrypted, + arch + refind bootloader instead of grub?
Swap partition is like a glass jar (physical container for storage). The swapfile is like the sugar you put in the jar (data).
@@craigstone975 you wrote that answer to the wrong comment
video mbr btrfs ?
i have a suggestion!
do a full KISS linux install :)
How to do it with swap files?
The procedure is slightly different, and it's described here for the btrfs fs: wiki.archlinux.org/index.php/btrfs#Swap_file
Please add subtitles to UA-cam
Hi Ermanno, I'm now trying to make a btrfs encrypted filesystem with snapshots and a separate home partition. Would be great if you could do a version of that!
Superb video
👍👍
Hi!! Your GitLab says it's locked
You need to use the public repository, not the private one.
@@eflinux I am really sorry, would you mind giving the link in this comment box... I can't find the link in your description (the link given in the description opens your private repository). Waiting for your reply.
Here we go: gitlab.com/eflinux/arch-basic
hahhahaah i already saw the last one B)
hi uwu
hey, I followed this step by step, but instead of arch I installed artix with openrc and when I restart I always get grub rescue and it says that my partition is unknown and it lists my UUID that I filled in the mkinitcpio.conf. any ideas how to fix this or is it just a way different steps on artix? cheers.
Amazing video! Really clear and easy to follow (and even experiment with, helped by the wiki, as I went with systemd-boot instead). Instantly subscribed!
I am not an expert, but before setting the type of encryption and the flags for it you need some cryptsetup benchmark.
wiki.archlinux.org/index.php/dm-crypt/Device_encryption
BTRFS has support for swap file since Linux 5.0 here is nothing special,
wiki.archlinux.org/index.php/Btrfs#Swap_file
I think this is the best for that file system
/etc/mkinitcpio.conf
BINARIES=("/usr/bin/btrfs")
There are several kinds of encryption you can choose from. On the video is just one possibility. Also, you can create of course a swapfile, again it’s another possibility.